Coming soon | Intermediate | Pro

RedTiger Stealer: GoFile + Discord-Webhook Exfiltration

A single-host smash-and-grab infostealer intrusion. An artist ran a PyInstaller-compiled executable disguised as a Roblox FPS-unlocker mod that was actually the open-source RedTiger stealer. In one short burst it unpacked to Temp, blackholed security-vendor domains in the hosts file, persisted via the Startup folder, injected JavaScript into the Discord client, and archived Discord tokens, browser credentials and cards, a crypto wallet, a webcam frame, and a screenshot. Exfiltration ran in two stages over legitimate cloud services: the loot ZIP was uploaded to GoFile, then the download link plus victim recon was posted to a Discord webhook. Reconstruct the kill chain from SIEM, endpoint XDR, and perimeter firewall telemetry, and classify the key ATT&CK techniques.

55m
7 tasks
50 points
Pro

Launches today

Jul 3, 2026

Friday, July 3, 2026 at 9:00 AM


Pro unlocks this operation at launch.

Training Tools

XDR, SIEM, Firewall

What you'll investigate

7 objectives unlock when this operation goes live.

1. Incident brief
2. Find the initial payload
3. Classify the defense-evasion step
4. Pin the persistence artifact
5. Trace stage one of the exfiltration
6. Recover the operator's notification channel
7. Classify the exfiltration technique

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 3, 2026, you can jump straight in.


RedTiger Stealer: GoFile + Discord-Webhook Exfiltration — Coming Soon | SOCSimulator